nixos-config/hosts/plover/modules/services/portunus.nix

# The LDAP server of choice. Though, it really uses OpenLDAP as the backend so
# it's really more like a nice frontend for it so you don't have to experience
# the pain of managing an OpenLDAP server.
{ config, lib, pkgs, ... }:

let
  ldapDomain = "ldap.${config.networking.fqdn}";
  portunusUser = config.users.users."${config.services.portunus.user}".name;
in
{
  sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {
    "ldap/users/foodogsquared/password".owner = portunusUser;
  };

  services.portunus = {
    enable = true;

    port = 8168;
    domain = ldapDomain;

    ldap = {
      searchUserName = "admin";
      suffix = "dc=foodogsquared,dc=one";
    };

    seedPath =
      let
        seedData = {
          groups = [
            {
              name = "admin-team";
              long_name = "Portunus Administrators";
              members = [ "foodogsquared" ];
              permissions = {
                portunus.is_admin = true;
                ldap.can_read = true;
              };
            }
          ];
          users = [
            {
              login_name = "foodogsquared";
              given_name = "Gabriel";
              family_name = "Arazas";
              email = "foodogsquared@foodogsquared.one";
              ssh_public_keys =
                let
                  readFiles = list: lib.lists.map (path: lib.readFile path) list;
                in
                readFiles [
                  ../../../../users/home-manager/foo-dogsquared/files/ssh-key.pub
                  ../../../../users/home-manager/foo-dogsquared/files/ssh-key-2.pub
                ];
              password.from_command = [ "${pkgs.coreutils}/bin/cat" config.sops.secrets."ldap/users/foodogsquared/password".path ];
            }
          ];
        };
        settingsFormat = pkgs.formats.json { };
      in
      settingsFormat.generate "portunus-seed" seedData;
  };

  # Getting this to be accessible in the reverse proxy of choice.
  services.nginx.virtualHosts."${ldapDomain}" = {
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.portunus.port}";
    };
  };
}
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`# The LDAP server of choice. Though, it really uses OpenLDAP as the backend so`
			`# it's really more like a nice frontend for it so you don't have to experience`
			`# the pain of managing an OpenLDAP server.`
			`{ config, lib, pkgs, ... }:`

			`let`
hosts/plover: update domain names for internal services 2023-02-08 11:05:23 +00:00			`ldapDomain = "ldap.${config.networking.fqdn}";`
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00			`portunusUser = config.users.users."${config.services.portunus.user}".name;`
chore: format the codebase 2023-01-18 03:41:12 +00:00			`in`
			`{`
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00			`sops.secrets = lib.getSecrets ../../secrets/secrets.yaml {`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`"ldap/users/foodogsquared/password".owner = portunusUser;`
config: convert to lib.getSecrets 2023-07-05 03:38:58 +00:00			`};`

hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`services.portunus = {`
			`enable = true;`

			`port = 8168;`
			`domain = ldapDomain;`

			`ldap = {`
			`searchUserName = "admin";`
			`suffix = "dc=foodogsquared,dc=one";`
			`};`

chore: format the codebase 2023-01-18 03:41:12 +00:00			`seedPath =`
			`let`
			`seedData = {`
			`groups = [`
			`{`
			`name = "admin-team";`
			`long_name = "Portunus Administrators";`
			`members = [ "foodogsquared" ];`
			`permissions = {`
			`portunus.is_admin = true;`
			`ldap.can_read = true;`
			`};`
			`}`
			`];`
			`users = [`
			`{`
			`login_name = "foodogsquared";`
			`given_name = "Gabriel";`
			`family_name = "Arazas";`
hosts/plover: update Portunus config 2023-02-10 02:15:14 +00:00			`email = "foodogsquared@foodogsquared.one";`
chore: format the codebase 2023-01-18 03:41:12 +00:00			`ssh_public_keys =`
			`let`
			`readFiles = list: lib.lists.map (path: lib.readFile path) list;`
			`in`
			`readFiles [`
			`../../../../users/home-manager/foo-dogsquared/files/ssh-key.pub`
			`../../../../users/home-manager/foo-dogsquared/files/ssh-key-2.pub`
			`];`
hosts: remove host path prefix for sops keys It is more explicit and elegant but more of a pain to manage especially with the new function. It was structured that way for other hosts' secrets but it isn't really used in practice. We could just enforce a convention such as a `hosts` prefix to contain those secrets. 2023-07-05 05:11:47 +00:00			`password.from_command = [ "${pkgs.coreutils}/bin/cat" config.sops.secrets."ldap/users/foodogsquared/password".path ];`
chore: format the codebase 2023-01-18 03:41:12 +00:00			`}`
			`];`
			`};`
			`settingsFormat = pkgs.formats.json { };`
			`in`
			`settingsFormat.generate "portunus-seed" seedData;`
hosts/plover: modularize config 2023-01-12 13:22:55 +00:00			`};`

			`# Getting this to be accessible in the reverse proxy of choice.`
			`services.nginx.virtualHosts."${ldapDomain}" = {`
			`locations."/" = {`
			`proxyPass = "http://localhost:${toString config.services.portunus.port}";`
			`};`
			`};`
			`}`